The users and groups in the VMware Identity Manager service are imported from your enterprise directory or are created as local users and groups in the VMware Identity Manager administration console.

Users in the VMware Identity Manager service can be users that are synced from your enterprise directory, local users that you provision in the admin console, or users added with just-in-time provisioning.

Users imported from your enterprise directory are updated in the VMware Identity Manager directory according to your server synchronization schedule. You cannot edit or delete users that sync from Active Directory.

You can create local users and groups. Local users are added to a local directory on the service. You manage the local user attribute mapping and password policies. You can create local groups to manage resource entitlements for users.

Users added with just-in-time provisioning are added and updated dynamically at login, based on SAML assertions sent by the identity provider. All user management is handled through SAML assertions. To use just-in-time provisioning, see Just-in-Time User Provisioning.

Groups in the VMware Identity Manager service can be groups that are synced from your enterprise directory or local groups that you create in the admin console. Active Directory group names sync to the directory according to your sync schedule. The users in these groups are not synced to the directory until a group is entitled to resources or a group is added to the access policy rules. You cannot edit or delete groups that sync from Active Directory.

In the administration console, the Users & Groups pages provide a user-and-group-centric view of the service. You can manage users and groups and monitor resource entitlements, group affiliations, and VMware Verify phone numbers. For local users, you can also manage the password policy.